GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libssl/ssl_rsa.c Lines: 95 329 28.9 %
Date: 2017-11-13 Branches: 33 147 22.4 %

Line Branch Exec Source
1
/* $OpenBSD: ssl_rsa.c,v 1.28 2017/02/07 02:08:38 beck Exp $ */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3
 * All rights reserved.
4
 *
5
 * This package is an SSL implementation written
6
 * by Eric Young (eay@cryptsoft.com).
7
 * The implementation was written so as to conform with Netscapes SSL.
8
 *
9
 * This library is free for commercial and non-commercial use as long as
10
 * the following conditions are aheared to.  The following conditions
11
 * apply to all code found in this distribution, be it the RC4, RSA,
12
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13
 * included with this distribution is covered by the same copyright terms
14
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
 *
16
 * Copyright remains Eric Young's, and as such any Copyright notices in
17
 * the code are not to be removed.
18
 * If this package is used in a product, Eric Young should be given attribution
19
 * as the author of the parts of the library used.
20
 * This can be in the form of a textual message at program startup or
21
 * in documentation (online or textual) provided with the package.
22
 *
23
 * Redistribution and use in source and binary forms, with or without
24
 * modification, are permitted provided that the following conditions
25
 * are met:
26
 * 1. Redistributions of source code must retain the copyright
27
 *    notice, this list of conditions and the following disclaimer.
28
 * 2. Redistributions in binary form must reproduce the above copyright
29
 *    notice, this list of conditions and the following disclaimer in the
30
 *    documentation and/or other materials provided with the distribution.
31
 * 3. All advertising materials mentioning features or use of this software
32
 *    must display the following acknowledgement:
33
 *    "This product includes cryptographic software written by
34
 *     Eric Young (eay@cryptsoft.com)"
35
 *    The word 'cryptographic' can be left out if the rouines from the library
36
 *    being used are not cryptographic related :-).
37
 * 4. If you include any Windows specific code (or a derivative thereof) from
38
 *    the apps directory (application code) you must include an acknowledgement:
39
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
 *
41
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51
 * SUCH DAMAGE.
52
 *
53
 * The licence and distribution terms for any publically available version or
54
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55
 * copied and put under another distribution licence
56
 * [including the GNU Public Licence.]
57
 */
58
59
#include <stdio.h>
60
61
#include "ssl_locl.h"
62
63
#include <openssl/bio.h>
64
#include <openssl/evp.h>
65
#include <openssl/objects.h>
66
#include <openssl/pem.h>
67
#include <openssl/x509.h>
68
69
static int ssl_set_cert(CERT *c, X509 *x509);
70
static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey);
71
static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *, BIO *);
72
73
int
74
SSL_use_certificate(SSL *ssl, X509 *x)
75
{
76
	if (x == NULL) {
77
		SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
78
		return (0);
79
	}
80
	if (!ssl_cert_inst(&ssl->cert)) {
81
		SSLerror(ssl, ERR_R_MALLOC_FAILURE);
82
		return (0);
83
	}
84
	return (ssl_set_cert(ssl->cert, x));
85
}
86
87
int
88
SSL_use_certificate_file(SSL *ssl, const char *file, int type)
89
{
90
	int j;
91
	BIO *in;
92
	int ret = 0;
93
	X509 *x = NULL;
94
95
	in = BIO_new(BIO_s_file_internal());
96
	if (in == NULL) {
97
		SSLerror(ssl, ERR_R_BUF_LIB);
98
		goto end;
99
	}
100
101
	if (BIO_read_filename(in, file) <= 0) {
102
		SSLerror(ssl, ERR_R_SYS_LIB);
103
		goto end;
104
	}
105
	if (type == SSL_FILETYPE_ASN1) {
106
		j = ERR_R_ASN1_LIB;
107
		x = d2i_X509_bio(in, NULL);
108
	} else if (type == SSL_FILETYPE_PEM) {
109
		j = ERR_R_PEM_LIB;
110
		x = PEM_read_bio_X509(in, NULL,
111
		    ssl->ctx->default_passwd_callback,
112
		    ssl->ctx->default_passwd_callback_userdata);
113
	} else {
114
		SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE);
115
		goto end;
116
	}
117
118
	if (x == NULL) {
119
		SSLerror(ssl, j);
120
		goto end;
121
	}
122
123
	ret = SSL_use_certificate(ssl, x);
124
end:
125
	X509_free(x);
126
	BIO_free(in);
127
	return (ret);
128
}
129
130
int
131
SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
132
{
133
	X509 *x;
134
	int ret;
135
136
	x = d2i_X509(NULL, &d,(long)len);
137
	if (x == NULL) {
138
		SSLerror(ssl, ERR_R_ASN1_LIB);
139
		return (0);
140
	}
141
142
	ret = SSL_use_certificate(ssl, x);
143
	X509_free(x);
144
	return (ret);
145
}
146
147
int
148
SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
149
{
150
	EVP_PKEY *pkey;
151
	int ret;
152
153
	if (rsa == NULL) {
154
		SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
155
		return (0);
156
	}
157
	if (!ssl_cert_inst(&ssl->cert)) {
158
		SSLerror(ssl, ERR_R_MALLOC_FAILURE);
159
		return (0);
160
	}
161
	if ((pkey = EVP_PKEY_new()) == NULL) {
162
		SSLerror(ssl, ERR_R_EVP_LIB);
163
		return (0);
164
	}
165
166
	RSA_up_ref(rsa);
167
	EVP_PKEY_assign_RSA(pkey, rsa);
168
169
	ret = ssl_set_pkey(ssl->cert, pkey);
170
	EVP_PKEY_free(pkey);
171
	return (ret);
172
}
173
174
static int
175
ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
176
{
177
	int i;
178
179
588
	i = ssl_cert_type(NULL, pkey);
180
294
	if (i < 0) {
181
		SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
182
		return (0);
183
	}
184
185
294
	if (c->pkeys[i].x509 != NULL) {
186
		EVP_PKEY *pktmp;
187
294
		pktmp = X509_get_pubkey(c->pkeys[i].x509);
188
294
		EVP_PKEY_copy_parameters(pktmp, pkey);
189
294
		EVP_PKEY_free(pktmp);
190
294
		ERR_clear_error();
191
192
		/*
193
		 * Don't check the public/private key, this is mostly
194
		 * for smart cards.
195
		 */
196

588
		if ((pkey->type == EVP_PKEY_RSA) &&
197
294
			(RSA_flags(pkey->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
198
;
199
		else
200
294
		if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
201
			X509_free(c->pkeys[i].x509);
202
			c->pkeys[i].x509 = NULL;
203
			return 0;
204
		}
205
294
	}
206
207
294
	EVP_PKEY_free(c->pkeys[i].privatekey);
208
294
	CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
209
294
	c->pkeys[i].privatekey = pkey;
210
294
	c->key = &(c->pkeys[i]);
211
212
294
	c->valid = 0;
213
294
	return (1);
214
294
}
215
216
int
217
SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
218
{
219
	int j, ret = 0;
220
	BIO *in;
221
	RSA *rsa = NULL;
222
223
	in = BIO_new(BIO_s_file_internal());
224
	if (in == NULL) {
225
		SSLerror(ssl, ERR_R_BUF_LIB);
226
		goto end;
227
	}
228
229
	if (BIO_read_filename(in, file) <= 0) {
230
		SSLerror(ssl, ERR_R_SYS_LIB);
231
		goto end;
232
	}
233
	if (type == SSL_FILETYPE_ASN1) {
234
		j = ERR_R_ASN1_LIB;
235
		rsa = d2i_RSAPrivateKey_bio(in, NULL);
236
	} else if (type == SSL_FILETYPE_PEM) {
237
		j = ERR_R_PEM_LIB;
238
		rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
239
		    ssl->ctx->default_passwd_callback,
240
		    ssl->ctx->default_passwd_callback_userdata);
241
	} else {
242
		SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE);
243
		goto end;
244
	}
245
	if (rsa == NULL) {
246
		SSLerror(ssl, j);
247
		goto end;
248
	}
249
	ret = SSL_use_RSAPrivateKey(ssl, rsa);
250
	RSA_free(rsa);
251
end:
252
	BIO_free(in);
253
	return (ret);
254
}
255
256
int
257
SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len)
258
{
259
	int ret;
260
	const unsigned char *p;
261
	RSA *rsa;
262
263
	p = d;
264
	if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) {
265
		SSLerror(ssl, ERR_R_ASN1_LIB);
266
		return (0);
267
	}
268
269
	ret = SSL_use_RSAPrivateKey(ssl, rsa);
270
	RSA_free(rsa);
271
	return (ret);
272
}
273
274
int
275
SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
276
{
277
	int ret;
278
279
	if (pkey == NULL) {
280
		SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER);
281
		return (0);
282
	}
283
	if (!ssl_cert_inst(&ssl->cert)) {
284
		SSLerror(ssl, ERR_R_MALLOC_FAILURE);
285
		return (0);
286
	}
287
	ret = ssl_set_pkey(ssl->cert, pkey);
288
	return (ret);
289
}
290
291
int
292
SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
293
{
294
	int j, ret = 0;
295
	BIO *in;
296
	EVP_PKEY *pkey = NULL;
297
298
	in = BIO_new(BIO_s_file_internal());
299
	if (in == NULL) {
300
		SSLerror(ssl, ERR_R_BUF_LIB);
301
		goto end;
302
	}
303
304
	if (BIO_read_filename(in, file) <= 0) {
305
		SSLerror(ssl, ERR_R_SYS_LIB);
306
		goto end;
307
	}
308
	if (type == SSL_FILETYPE_PEM) {
309
		j = ERR_R_PEM_LIB;
310
		pkey = PEM_read_bio_PrivateKey(in, NULL,
311
		    ssl->ctx->default_passwd_callback,
312
		    ssl->ctx->default_passwd_callback_userdata);
313
	} else if (type == SSL_FILETYPE_ASN1) {
314
		j = ERR_R_ASN1_LIB;
315
		pkey = d2i_PrivateKey_bio(in, NULL);
316
	} else {
317
		SSLerror(ssl, SSL_R_BAD_SSL_FILETYPE);
318
		goto end;
319
	}
320
	if (pkey == NULL) {
321
		SSLerror(ssl, j);
322
		goto end;
323
	}
324
	ret = SSL_use_PrivateKey(ssl, pkey);
325
	EVP_PKEY_free(pkey);
326
end:
327
	BIO_free(in);
328
	return (ret);
329
}
330
331
int
332
SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len)
333
{
334
	int ret;
335
	const unsigned char *p;
336
	EVP_PKEY *pkey;
337
338
	p = d;
339
	if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) {
340
		SSLerror(ssl, ERR_R_ASN1_LIB);
341
		return (0);
342
	}
343
344
	ret = SSL_use_PrivateKey(ssl, pkey);
345
	EVP_PKEY_free(pkey);
346
	return (ret);
347
}
348
349
int
350
SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
351
{
352
588
	if (x == NULL) {
353
		SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
354
		return (0);
355
	}
356
294
	if (!ssl_cert_inst(&ctx->internal->cert)) {
357
		SSLerrorx(ERR_R_MALLOC_FAILURE);
358
		return (0);
359
	}
360
294
	return (ssl_set_cert(ctx->internal->cert, x));
361
294
}
362
363
static int
364
ssl_set_cert(CERT *c, X509 *x)
365
{
366
	EVP_PKEY *pkey;
367
	int i;
368
369
588
	pkey = X509_get_pubkey(x);
370
294
	if (pkey == NULL) {
371
		SSLerrorx(SSL_R_X509_LIB);
372
		return (0);
373
	}
374
375
294
	i = ssl_cert_type(x, pkey);
376
294
	if (i < 0) {
377
		SSLerrorx(SSL_R_UNKNOWN_CERTIFICATE_TYPE);
378
		EVP_PKEY_free(pkey);
379
		return (0);
380
	}
381
382
294
	if (c->pkeys[i].privatekey != NULL) {
383
		EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
384
		ERR_clear_error();
385
386
		/*
387
		 * Don't check the public/private key, this is mostly
388
		 * for smart cards.
389
		 */
390
		if ((c->pkeys[i].privatekey->type == EVP_PKEY_RSA) &&
391
			(RSA_flags(c->pkeys[i].privatekey->pkey.rsa) &
392
		RSA_METHOD_FLAG_NO_CHECK))
393
;
394
		else
395
		if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
396
			/*
397
			 * don't fail for a cert/key mismatch, just free
398
			 * current private key (when switching to a different
399
			 * cert & key, first this function should be used,
400
			 * then ssl_set_pkey
401
			 */
402
			EVP_PKEY_free(c->pkeys[i].privatekey);
403
			c->pkeys[i].privatekey = NULL;
404
			/* clear error queue */
405
			ERR_clear_error();
406
		}
407
	}
408
409
294
	EVP_PKEY_free(pkey);
410
411
294
	X509_free(c->pkeys[i].x509);
412
294
	CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
413
294
	c->pkeys[i].x509 = x;
414
294
	c->key = &(c->pkeys[i]);
415
416
294
	c->valid = 0;
417
294
	return (1);
418
294
}
419
420
int
421
SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
422
{
423
	int j;
424
	BIO *in;
425
	int ret = 0;
426
	X509 *x = NULL;
427
428
360
	in = BIO_new(BIO_s_file_internal());
429
180
	if (in == NULL) {
430
		SSLerrorx(ERR_R_BUF_LIB);
431
		goto end;
432
	}
433
434
180
	if (BIO_read_filename(in, file) <= 0) {
435
		SSLerrorx(ERR_R_SYS_LIB);
436
		goto end;
437
	}
438
180
	if (type == SSL_FILETYPE_ASN1) {
439
		j = ERR_R_ASN1_LIB;
440
		x = d2i_X509_bio(in, NULL);
441
180
	} else if (type == SSL_FILETYPE_PEM) {
442
		j = ERR_R_PEM_LIB;
443
360
		x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,
444
180
		    ctx->default_passwd_callback_userdata);
445
	} else {
446
		SSLerrorx(SSL_R_BAD_SSL_FILETYPE);
447
		goto end;
448
	}
449
450
180
	if (x == NULL) {
451
		SSLerrorx(j);
452
		goto end;
453
	}
454
455
180
	ret = SSL_CTX_use_certificate(ctx, x);
456
end:
457
180
	X509_free(x);
458
180
	BIO_free(in);
459
180
	return (ret);
460
}
461
462
int
463
SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
464
{
465
	X509 *x;
466
	int ret;
467
468
	x = d2i_X509(NULL, &d,(long)len);
469
	if (x == NULL) {
470
		SSLerrorx(ERR_R_ASN1_LIB);
471
		return (0);
472
	}
473
474
	ret = SSL_CTX_use_certificate(ctx, x);
475
	X509_free(x);
476
	return (ret);
477
}
478
479
int
480
SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
481
{
482
	int ret;
483
	EVP_PKEY *pkey;
484
485
	if (rsa == NULL) {
486
		SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
487
		return (0);
488
	}
489
	if (!ssl_cert_inst(&ctx->internal->cert)) {
490
		SSLerrorx(ERR_R_MALLOC_FAILURE);
491
		return (0);
492
	}
493
	if ((pkey = EVP_PKEY_new()) == NULL) {
494
		SSLerrorx(ERR_R_EVP_LIB);
495
		return (0);
496
	}
497
498
	RSA_up_ref(rsa);
499
	EVP_PKEY_assign_RSA(pkey, rsa);
500
501
	ret = ssl_set_pkey(ctx->internal->cert, pkey);
502
	EVP_PKEY_free(pkey);
503
	return (ret);
504
}
505
506
int
507
SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
508
{
509
	int j, ret = 0;
510
	BIO *in;
511
	RSA *rsa = NULL;
512
513
	in = BIO_new(BIO_s_file_internal());
514
	if (in == NULL) {
515
		SSLerrorx(ERR_R_BUF_LIB);
516
		goto end;
517
	}
518
519
	if (BIO_read_filename(in, file) <= 0) {
520
		SSLerrorx(ERR_R_SYS_LIB);
521
		goto end;
522
	}
523
	if (type == SSL_FILETYPE_ASN1) {
524
		j = ERR_R_ASN1_LIB;
525
		rsa = d2i_RSAPrivateKey_bio(in, NULL);
526
	} else if (type == SSL_FILETYPE_PEM) {
527
		j = ERR_R_PEM_LIB;
528
		rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
529
		    ctx->default_passwd_callback,
530
		    ctx->default_passwd_callback_userdata);
531
	} else {
532
		SSLerrorx(SSL_R_BAD_SSL_FILETYPE);
533
		goto end;
534
	}
535
	if (rsa == NULL) {
536
		SSLerrorx(j);
537
		goto end;
538
	}
539
	ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
540
	RSA_free(rsa);
541
end:
542
	BIO_free(in);
543
	return (ret);
544
}
545
546
int
547
SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
548
{
549
	int ret;
550
	const unsigned char *p;
551
	RSA *rsa;
552
553
	p = d;
554
	if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) {
555
		SSLerrorx(ERR_R_ASN1_LIB);
556
		return (0);
557
	}
558
559
	ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
560
	RSA_free(rsa);
561
	return (ret);
562
}
563
564
int
565
SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
566
{
567
588
	if (pkey == NULL) {
568
		SSLerrorx(ERR_R_PASSED_NULL_PARAMETER);
569
		return (0);
570
	}
571
294
	if (!ssl_cert_inst(&ctx->internal->cert)) {
572
		SSLerrorx(ERR_R_MALLOC_FAILURE);
573
		return (0);
574
	}
575
294
	return (ssl_set_pkey(ctx->internal->cert, pkey));
576
294
}
577
578
int
579
SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
580
{
581
	int j, ret = 0;
582
	BIO *in;
583
	EVP_PKEY *pkey = NULL;
584
585
564
	in = BIO_new(BIO_s_file_internal());
586
282
	if (in == NULL) {
587
		SSLerrorx(ERR_R_BUF_LIB);
588
		goto end;
589
	}
590
591
282
	if (BIO_read_filename(in, file) <= 0) {
592
		SSLerrorx(ERR_R_SYS_LIB);
593
		goto end;
594
	}
595
282
	if (type == SSL_FILETYPE_PEM) {
596
		j = ERR_R_PEM_LIB;
597
282
		pkey = PEM_read_bio_PrivateKey(in, NULL,
598
282
		    ctx->default_passwd_callback,
599
282
		    ctx->default_passwd_callback_userdata);
600
282
	} else if (type == SSL_FILETYPE_ASN1) {
601
		j = ERR_R_ASN1_LIB;
602
		pkey = d2i_PrivateKey_bio(in, NULL);
603
	} else {
604
		SSLerrorx(SSL_R_BAD_SSL_FILETYPE);
605
		goto end;
606
	}
607
282
	if (pkey == NULL) {
608
		SSLerrorx(j);
609
		goto end;
610
	}
611
282
	ret = SSL_CTX_use_PrivateKey(ctx, pkey);
612
282
	EVP_PKEY_free(pkey);
613
end:
614
282
	BIO_free(in);
615
282
	return (ret);
616
}
617
618
int
619
SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d,
620
    long len)
621
{
622
	int ret;
623
	const unsigned char *p;
624
	EVP_PKEY *pkey;
625
626
	p = d;
627
	if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) {
628
		SSLerrorx(ERR_R_ASN1_LIB);
629
		return (0);
630
	}
631
632
	ret = SSL_CTX_use_PrivateKey(ctx, pkey);
633
	EVP_PKEY_free(pkey);
634
	return (ret);
635
}
636
637
638
/*
639
 * Read a bio that contains our certificate in "PEM" format,
640
 * possibly followed by a sequence of CA certificates that should be
641
 * sent to the peer in the Certificate message.
642
 */
643
static int
644
ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in)
645
{
646
	int ret = 0;
647
	X509 *x = NULL;
648
649
228
	ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
650
651
228
	x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
652
114
	    ctx->default_passwd_callback_userdata);
653
114
	if (x == NULL) {
654
		SSLerrorx(ERR_R_PEM_LIB);
655
		goto end;
656
	}
657
658
114
	ret = SSL_CTX_use_certificate(ctx, x);
659
660
114
	if (ERR_peek_error() != 0)
661
		ret = 0;
662
	/* Key/certificate mismatch doesn't imply ret==0 ... */
663
114
	if (ret) {
664
		/*
665
		 * If we could set up our certificate, now proceed to
666
		 * the CA certificates.
667
		 */
668
		X509 *ca;
669
		int r;
670
		unsigned long err;
671
672
114
		sk_X509_pop_free(ctx->extra_certs, X509_free);
673
114
		ctx->extra_certs = NULL;
674
675
342
		while ((ca = PEM_read_bio_X509(in, NULL,
676
114
		    ctx->default_passwd_callback,
677
228
		    ctx->default_passwd_callback_userdata)) != NULL) {
678
			r = SSL_CTX_add_extra_chain_cert(ctx, ca);
679
			if (!r) {
680
				X509_free(ca);
681
				ret = 0;
682
				goto end;
683
			}
684
			/*
685
			 * Note that we must not free r if it was successfully
686
			 * added to the chain (while we must free the main
687
			 * certificate, since its reference count is increased
688
			 * by SSL_CTX_use_certificate).
689
			 */
690
		}
691
692
		/* When the while loop ends, it's usually just EOF. */
693
114
		err = ERR_peek_last_error();
694

228
		if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
695
114
		    ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
696
114
			ERR_clear_error();
697
		else
698
			ret = 0; /* some real error */
699
114
	}
700
701
end:
702
114
	X509_free(x);
703
114
	return (ret);
704
114
}
705
706
int
707
SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
708
{
709
	BIO *in;
710
	int ret = 0;
711
712
204
	in = BIO_new(BIO_s_file_internal());
713
102
	if (in == NULL) {
714
		SSLerrorx(ERR_R_BUF_LIB);
715
		goto end;
716
	}
717
718
102
	if (BIO_read_filename(in, file) <= 0) {
719
		SSLerrorx(ERR_R_SYS_LIB);
720
		goto end;
721
	}
722
723
102
	ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
724
725
end:
726
102
	BIO_free(in);
727
102
	return (ret);
728
}
729
730
int
731
SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len)
732
{
733
	BIO *in;
734
	int ret = 0;
735
736
24
	in = BIO_new_mem_buf(buf, len);
737
12
	if (in == NULL) {
738
		SSLerrorx(ERR_R_BUF_LIB);
739
		goto end;
740
	}
741
742
12
	ret = ssl_ctx_use_certificate_chain_bio(ctx, in);
743
744
end:
745
12
	BIO_free(in);
746
12
	return (ret);
747
}